Recopila datos Sysmon de Microsoft Windows
Compatible con:
SecOps de Google
SIEM
.
Este documento:
- describe la arquitectura de implementación y los pasos de instalación, y cualquier configuración necesaria que produzca registros compatibles con Google Security Operations Analizador para eventos Sysmon de Microsoft Windows. Para obtener una descripción general de los datos de Google Security Operations consulta Transferencia de datos a Google Security Operations.
- incluye información sobre cómo el analizador asigna campos en el registro original a los campos del Modelo de datos unificados de Google Security Operations.
La información de este documento se aplica al analizador con la etiqueta de transferencia WINDOWS_SYSMON. La etiqueta de transferencia identifica qué analizador normaliza los datos de registro sin procesar en formato UDM estructurado.
Antes de comenzar
Revisa la arquitectura de implementación recomendada
Este diagrama representa los componentes principales recomendados de una implementación para recopilar y enviar datos de Microsoft Windows Sysmon a Google Security Operations. Compara esta información con tu entorno para asegurarte de que los componentes esté instalado. Cada implementación de cliente diferirá de esta representación y puede puede ser más complejo. Se requiere lo siguiente:
- Los sistemas en la arquitectura de implementación se configuran con la UTC zona horaria.
- Sysmon se instala en servidores, endpoints y controladores de dominio.
- El servidor de colector de Microsoft Windows recibe registros de servidores, endpoints y los controladores de dominio.
Los sistemas Microsoft Windows en la arquitectura de implementación usan lo siguiente:
- Fuentes de suscripciones iniciadas para recopilar eventos en varios dispositivos.
- Servicio WinRM para la administración de sistemas remotos.
NXLog está instalado en el servidor de Windows del colector para reenviar los registros a Servicio de reenvío de Google Security Operations.
El servidor de reenvío de Google Security Operations se instala en un servidor central de Microsoft Windows o en un servidor Linux.
Revisa los dispositivos y las versiones compatibles
El analizador de Google Security Operations admite registros generados por los siguientes servicios de Microsoft Windows: varias versiones del servidor. Microsoft Windows Server se lanza con las siguientes ediciones: Foundation, Essentials, Standard y Datacenter. El esquema de eventos de los registros generadas por cada edición no difiere.
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012
El analizador de Google Security Operations admite registros generados por los siguientes recursos:
- Sistemas cliente de Microsoft Windows 7 y versiones posteriores
- Sysmon versión 13.24.
El analizador de Google Security Operations admite registros recopilados por la comunidad o empresa de NXLog. Edición.
Revisa los tipos de registros compatibles
El analizador de Google Security Operations admite los siguientes tipos de registros generados por Microsoft Windows. Sysmon Para obtener más información sobre estos tipos de registros, consulta la Documentación de Microsoft Windows Sysmon. Admite registros generados con texto en inglés y no es compatible con registros generados en idiomas distintos al inglés.
| Tipo de registro | Descripción |
|---|---|
| Registros Sysmon | El canal Sysmon contiene 27 IDs de eventos. (ID de evento: 1 a 26 y 255). Para obtener una descripción de este tipo de registro, consulta Microsoft Windows Documentación de Sysmon Events |
Configura servidores, extremos y controladores de dominio de Microsoft Windows
- Instalar y configurar los servidores, los extremos y los controladores de dominio Para obtener más información, consulta Documentación de Microsoft Windows Sysmon Configuration.
- Configura un servidor de colector de Microsoft Windows para analizar los registros recopilados de múltiples sistemas.
- Configura el servidor central de Microsoft Windows o Linux
- Configura todos los sistemas con la zona horaria UTC.
- Configura los dispositivos para reenviar registros al servidor Microsoft Windows de colector.
- Configurar las suscripciones iniciadas por el origen en los sistemas Microsoft Windows Para información, consulta Cómo configurar una suscripción iniciada por la fuente
- Habilitar WinRM en los servidores y clientes de Microsoft Windows Para obtener más información, consulta Instalación y configuración de la administración remota de Microsoft Windows.
Configura el agente de BindPlane
Recopila los registros Sysmon de Windows mediante el agente de BindPlane.
Después de la instalación, el servicio del agente de BindPlane aparece como el servicio observerIQ en la lista de servicios de Windows.
- Instalar el agente de BindPlane en el colector que se ejecuta en un servidor de Windows Para obtener más información sobre cómo instalar el agente de BindPlane, consulta las instrucciones de instalación del agente de BindPlane.
Crea un archivo de configuración para el agente de BindPlane con el siguiente contenido.
receivers: windowseventlog/sysmon: channel: Microsoft-Windows-Sysmon/Operational raw: true processors: batch: exporters: chronicle/winsysmon: endpoint: https://malachiteingestion-pa.googleapis.com creds: '{ "type": "service_account", "project_id": "malachite-projectname", "private_key_id": `PRIVATE_KEY_ID`, "private_key": `PRIVATE_KEY`, "client_email":"`SERVICE_ACCOUNT_NAME`@malachite-`PROJECT_ID`.iam.gserviceaccount.com", "client_id": `CLIENT_ID`, "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/`SERVICSERVICE_ACCOUNT_NAME`%40malachite-`PROJECT_ID`.iam.gserviceaccount.com", "universe_domain": "googleapis.com" }' log_type: 'WINDOWS_SYSMON' override_log_type: false raw_log_field: body customer_id: `CUSTOMER_ID` service: pipelines: logs/winsysmon: receivers: - windowseventlog/sysmon processors: [batch] exporters: [chronicle/winsysmon]Reemplaza
PRIVATE_KEY_ID,PRIVATE_KEY,SERVICSERVICE_ACCOUNT_NAME,PROJECT_ID,CLIENT_IDyCUSTOMER_IDpor los valores correspondientes del archivo JSON de la cuenta de servicio que puedes descargar desde Google Cloud Platform. Para obtener más información sobre las claves de cuentas de servicio, consulta la documentación Crea y borra claves de cuentas de servicio.Para iniciar el servicio del agente de observadorIQ, selecciona Servicios > Extendido > Servicio de observadorIQ > iniciar.
Configurar NXLog y el servidor de reenvío de Google Security Operations
- Instala NXLog en el colector que se ejecuta en un servidor de Windows. Sigue el Documentación de NXLog, que incluye información sobre configuración de NXLog para recopilar registros de Sysmon.
Crea un archivo de configuración para NXLog. Usa el im_msvistalog. El siguiente es un ejemplo de configuración de NXLog. Reemplaza los valores
<hostname>y<port>con información sobre el el servidor central de destino de Microsoft Windows o Linux. Para obtener más información, consulta la documentación de NXLog sobre los Módulo om_tcp.define ROOT C:\Program Files (x86)\nxlog define SYSMON_OUTPUT_DESTINATION_ADDRESS <hostname> define SYSMON_OUTPUT_DESTINATION_PORT <port> define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _json> Module xm_json </Extension> <Input windows_sysmon_eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> </Query> </QueryList> </QueryXML> ReadFromLast False SavePos False </Input> <Output out_chronicle_sysmon> Module om_tcp Host %SYSMON_OUTPUT_DESTINATION_ADDRESS% Port %SYSMON_OUTPUT_DESTINATION_PORT% Exec $EventTime = integer($EventTime) / 1000; Exec $EventReceivedTime = integer($EventReceivedTime) / 1000; Exec to_json(); </Output> <Route r2> Path windows_sysmon_eventlog => out_chronicle_sysmon </Route>Instala el servidor de reenvío de Google Security Operations en el servidor central de Microsoft Windows o Linux. Consulta Cómo instalar y configurar el objeto Forwarder en Linux. o Instalación y configuración del servidor de reenvío en Microsoft Windows para obtener información sobre cómo instalar y configurar el servidor de reenvío.
Configurar el servidor de reenvío de Google Security Operations para enviar registros a Google Security Operations Este es un ejemplo de configuración de reenvío.
- syslog: common: enabled: true data_type: WINDOWS_SYSMON Data_hint: batch_n_seconds: 10 batch_n_bytes: 1048576 tcp_address: 0.0.0.0:10518 connection_timeout_sec: 60Inicia el servicio de NXLog.
Referencia de la asignación de campos: campos de eventos del dispositivo a campos UDM
En esta sección, se describe cómo el analizador asigna los campos de registro del dispositivo original a Campos del modelo de datos unificados (UDM) La asignación de campos puede variar ID del evento
Campos comunes
| Campo NXLog | Campo de UDM |
|---|---|
| UtcTime | metadata.event_timestamp |
| Categoría | security_result.summary y metadata.product_event_type |
| AccountName | principal.user.userid |
| Dominio | principal.administrative_domain |
| RecordNumber | metadata.product_log_id |
| HostName | principal.hostname |
| UserID | principal.user.windows_sid |
| SeverityValue | security_result.severity |
| ProcessID | observer.process.pid |
| ProviderGuid | observer.asset_id |
| LogonId | principal.network.session_id |
| ThreadID | Se estableció additional.fields.key en thread_id y
valor almacenado en additional.fields.value.string_value |
| Canal | Se estableció additional.fields.key en channel y
valor almacenado en additional.fields.value.string_value |
| EventID | Se estableció security_result.rule_name en EventID: <EventID>Se estableció metadata.product_event_type en <Category> [<EventID>] |
ID de evento: 1
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to PROCESS_LAUNCH |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | target.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
| ProcessId | target.process.pid |
| IntegrityLevel | The value for the field target.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| Image | target.process.file.full_path |
| FileVersion | target.asset.software.version |
| Description | target.asset.software.description |
| Product | target.asset.software.name |
| Company | target.asset.software.vendor_name |
| CommandLine | target.process.command_line |
| CurrentDirectory | additional.fields.key set to current_directory and
value stored in additional.fields.value.string_value |
| User | Domain stored in principal.administrative_domainUsername stored in principal.user.userid |
| Hashes | Based on Hash algorithm.
|
| ParentProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ParentProcessGuid> |
| ParentProcessId | principal.process.pid |
| ParentImage | principal.process.file.full_path |
| ParentCommandLine | principal.process.command_line |
ID de evento: 2
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to FILE_MODIFICATION |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| Image | principal.process.file.full_path |
| TargetFilename | target.file.full_path |
| CreationUtcTime | target.resource.attribute.labels.key set to CreationUtcTime and value
stored in target.resource.attribute.labels.value |
| PreviousCreationUtcTime | target.resource.attribute.labels.key set to PreviousCreationUtcTime and
value stored in target.resource.attribute.labels.value |
ID de evento: 3
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to NETWORK_CONNECTIONsecurity_result.action set to ALLOWnetwork.direction set to OUTBOUND |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| Image | principal.process.file.full_path |
| User | Domain stored in principal.administrative_domainUsername stored in principal.user.userid |
| Protocol | network.ip_protocol |
| SourceIp | principal.ip |
| SourcePort | principal.port |
| DestinationIp | target.ip |
| DestinationHostname | target.hostname |
| DestinationPort | target.port |
ID de evento: 4
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to SETTING_MODIFICATIONtarget.resource.resource_type set to SETTINGtarget.resource.resource_subtype set to State |
|
| UtcTime | metadata.event_timestamp |
| State | target.resource.name |
| Version | metadata.product_version |
ID de evento: 5
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to PROCESS_TERMINATION |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
| ProcessId | target.process.pid |
| IntegrityLevel | The value for the field target.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| Image | target.process.file.full_path |
ID de evento: 6
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to PROCESS_MODULE_LOAD |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ImageLoaded | principal.process.file.full_path |
| Hashes | The field populated is determined by the Hash algorithm.
|
| Signed | target.resource.attribute.labels.key set to Signed and value set to
target.resource.attribute.labels.value |
| Signature | target.resource.attribute.labels.key set to Signature and value stored in
target.resource.attribute.labels.value |
| SignatureStatus | target.resource.attribute.labels.key set to SignatureStatus and value
stored in target.resource.attribute.labels.value |
ID de evento: 7
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to PROCESS_MODULE_LOAD |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| Image | principal.process.file.full_path |
| ImageLoaded | target.process.file.full_path |
| FileVersion | target.asset.software.version |
| Description | target.asset.software.description |
| Product | target.asset.software.name |
| Company | target.asset.software.vendor_name |
| Hashes | The field populated is determined by the Hash algorithm.
|
| Signed | target.resource.attribute.labels.key set to Signed and value stored in
target.resource.attribute.labels.value |
| Signature | target.resource.attribute.labels.key set to Signature Signature value in target.resource.attribute.labels.value |
| SignatureStatus | target.resource.attribute.labels.key set to SignatureStatus and value
stored in target.resource.attribute.labels.value |
ID de evento: 8
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to PROCESS_MODULE_LOAD |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| SourceProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<SourceProcessGuid> |
| SourceProcessId | principal.process.pid |
| SourceImage | principal.process.file.full_path |
| TargetProcessGuid | target.process.product_specific_process_id set to
SYSMON:<TargetProcessGuid> |
| TargetProcessId | target.process.pid |
| TargetImage | target.process.file.full_path |
ID de evento: 9
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to FILE_READ
If the |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| Image | principal.process.file.full_path |
| Device | target.file.full_path |
ID de evento: 10
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to PROCESS_OPENtarget.resource.resource_subtype set to GrantedAccess |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| SourceProcessGUID | principal.process.product_specific_process_id set to
SYSMON:<SourceProcessGUID> |
| SourceProcessId | principal.process.pid |
| SourceImage | principal.process.file.full_path |
| TargetProcessGUID | target.process.product_specific_process_id set to
SYSMON:<TargetProcessGUID> |
| TargetProcessId | target.process.pid |
| TargetImage | target.process.file.full_path |
| GrantedAccess | target.resource.name |
ID de evento: 11
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to FILE_CREATIONtarget.resource.resource_subtype set to CreationUtcTime |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| Image | principal.process.file.full_path |
| TargetFilename | target.file.full_path |
| CreationUtcTime | target.resource.name |
ID de evento: 12
| Campo NXLog | Campo de UDM |
|---|---|
If the Message the field contains CreateKey|CreateValue, then
metadata.event_type set to REGISTRY_CREATIONIf the Message field contains DeleteKey|DeleteValue, thenmetadata.event_type set to REGISTRY_DELETIONOtherwise, metadata.event_type set to REGISTRY_MODIFICATION |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| Image | principal.process.file.full_path |
| TargetObject | target.registry.registry_key |
ID de evento: 13
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to REGISTRY_MODIFICATION |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| Image | principal.process.file.full_path |
| TargetObject | target.registry.registry_key |
| Details | target.registry.registry_value_data |
ID de evento: 14
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to REGISTRY_MODIFICATION |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| Image | principal.process.file.full_path |
| TargetObject | src.registry.registry_key |
| NewName | target.registry.registry_key |
ID de evento: 15
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to FILE_CREATION |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| Image | principal.process.file.full_path |
| TargetFilename | target.file.full_path |
| CreationUtcTime | target.resource.attribute.labels.key set to CreationUtcTime and value
stored in target.resource.attribute.labels.value |
| Hash | The field populated is determined by the Hash algorithm.
|
ID de evento: 16
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to SETTING_MODIFICATION |
|
| UtcTime | metadata.event_timestamp |
| ProcessID | target.process.pid |
| Configuration | The value is stored in target.process.command_line when this field value
contains any command line or processThe value is stored in target.process.file.full_path when this field value
contains the configuration file path. |
| ConfigurationFileHash | The field populated is determined by the Hash algorithm.
|
ID de evento: 17
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to PROCESS_UNCATEGORIZEDtarget.resource.resource_type set to PIPE |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | target.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
| ProcessId | target.process.pid |
| IntegrityLevel | The value for the field target.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| PipeName | target.resource.name |
| Image | target.process.file.full_path |
ID de evento: 18
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to PROCESS_UNCATEGORIZEDtarget.resource.resource_type set to PIPE |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | target.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
| ProcessId | target.process.pid |
| IntegrityLevel | The value for the field target.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| PipeName | target.resource.name |
| Image | target.process.file.full_path |
ID de evento: 19
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to USER_RESOURCE_ACCESS |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| Operation | |
| User | The Domain is stored in principal.administrative_domainThe Username is stored in principal.user.userid |
| EventNamespace | target.file.full_path |
| Name | target.application |
| Query | target.resource.name |
ID de evento: 20
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to USER_RESOURCE_ACCESS |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| Operation | target.resource.attribute.labels.key set to Operation and the value is
stored in target.resource.attribute.labels.value |
| User | The domain is stored in principal.administrative_domainThe Username is stored in principal.user.userid |
| Name | target.resource.attribute.labels.key set to Name Name value in target.resource.attribute.labels.value |
| Type | target.resource.attribute.labels.key set to Type and the value is stored
in target.resource.attribute.labels.value |
| Destination | target.resource.name |
ID de evento: 21
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to USER_RESOURCE_ACCESS |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| Operation | target.resource.attribute.labels.key set to Operation and the value is
stored in target.resource.attribute.labels.value |
| User | The domain is stored in principal.administrative_domainThe username is stored in principal.user.userid |
| Consumer | target.resource.attribute.labels.key set to Consumer and the value is
stored in target.resource.attribute.labels.value |
| Filter | target.resource.name |
ID de evento: 22
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to NETWORK_DNSnetwork.application_protocol set to DNS |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| QueryName | network.dns.questions |
| QueryStatus | Stored in security_result.summary as Query Status: <QueryStatus> |
| QueryResults | Type is saved to network.dns.answers.type with values separated by a
semicolon (;)Data is saved to network.dns.answers.data Values that do not have type are mapped to network.dns.answers.data. |
| Image | principal.process.file.full_path |
ID de evento: 23
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to FILE_DELETION |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| User | Domain stored into principal.administrative_domainUsername stored in principal.user.userid |
| Image | principal.process.file.full_path |
| TargetFilename | target.file.full_path |
| Hashes | The field populated is determined by the Hash algorithm.
|
| IsExecutable | Field target.resource.attribute.labels.key set to IsExecutable and the
value is stored in target.resource.attribute.labels.value |
| Archived | target.resource.attribute.labels.key set to Archived and the value is
stored in target.resource.attribute.labels.value |
ID de evento: 24
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to RESOURCE_READ |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | target.process.product_specific_process_id set to
SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| Image | target.process.file.full_path target.resource.name |
| ClientInfo | ip stored in target.iphostname stored in target.hostnameuser stored in principal.user.userid |
| Hashes | The field populated is determined by the Hash algorithm.
|
| Archived | target.resource.attribute.labels.key set to Archived and value stored in
target.resource.attribute.labels.value |
ID de evento: 25
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to PROCESS_LAUNCH |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | target.process.product_specific_process_id stored as
SYSMON:<ProcessGuid> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| Image | target.process.file.full_path |
ID de evento: 26
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to FILE_DELETION |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id set to
SYSMON:<%{ProcessGuid}> |
| ProcessId | principal.process.pid |
| IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| User | Domain set to principal.administrative_domainUsername set to principal.user.userid |
| Image | principal.process.file.full_path |
| TargetFilename | target.file.full_path |
| Hashes | Based on Hash algorithm. MD5 set to target.process.file.md5SHA256 set to target.process.file.sha256SHA1 set to target.process.file.sha1 |
| IsExecutable | target.resource.attribute.labels.key set to IsExecutable & value in
target.resource.attribute.labels.value |
ID de evento: 29
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to FILE_CREATION |
|
| RuleName | security_result.rule_name |
| UtcTime | metadata.event_timestamp |
| ProcessGuid | principal.process.product_specific_process_id is set to
SYSMON:<PROCESS_GUID>
PROCESS_GUID is the ProcessGuid. The ProcessGuid field is a unique value for this process across a domain to make event correlation easier.
|
| ProcessId | principal.process.pid |
| IntegrityLevel | The value for the field principal.process.integrity_level_rid
is determined based on the value of the field IntegrityLevel as follows:
|
| User | Domain is set to principal.administrative_domainUsername is set to principal.user.userid |
| Image | principal.process.file.full_path |
| TargetFilename | target.file.full_path |
| Hashes | Based on the hash algorithm, the following values are set:
|
ID de evento: 255
| Campo NXLog | Campo de UDM |
|---|---|
metadata.event_type set to SERVICE_UNSPECIFIEDmetadata.product_event_type set to Error - [255]target.application set to Microsoft Sysmon |
|
| UtcTime | metadata.event_timestamp |
| ID | security_result.summary |
| Description | security_result.description |